Description
Is your feature request related to a problem? Please describe.
The MCP server currently lacks a formal, spec-aligned way to advertise and enforce authorization scopes for MCP tools/resources. This makes it hard for clients to request least-privilege access, and prevents the MCP server from returning correct insufficient_scope challenges when access is missing. We also need a clear, documented scope set for the beta and a rationale for why MCP scopes are required in addition to Tableau API scopes.
Describe the solution you'd like
Implement MCP scope support end-to-end per the MCP authorization spec:
Add scope configuration knobs (OAUTH_SCOPES_SUPPORTED, OAUTH_REQUIRED_SCOPES, OAUTH_DISABLE_SCOPES).
Advertise scopes_supported in OAuth metadata.
Parse/validate requested scopes at /oauth/authorize and /oauth/token.
Persist scopes through auth code and refresh flows and include scopes in issued access tokens.
Enforce required scopes with WWW-Authenticate challenges and insufficient_scope errors.
Document a recommended inclusive scope set (MCP + Tableau API scopes) for the beta and explain why MCP scopes are needed even without token exchange.
Additional context
This aligns with MCP authorization guidance and Andy Young's advice: scopes are MCP-defined and needed to protect MCP-specific tools/prompts/resources (not all MCP operations call Tableau APIs). We'll keep the server in no-scope mode for now via OAUTH_DISABLE_SCOPES=true, and avoid token exchange until a future phase.